Cyber Resilience

CVE-2022-49548

Severity: High

Published: 26 February 2025
Modified: 01 October 2025
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0007 (22.4th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49548 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 22.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49548 is a vulnerability in the Linux kernel's BPF subsystem, specifically within the bpf_trampoline_get_progs() function. The issue arises because the cnt value used in the 'cnt >= BPF_MAX_TRAMP_PROGS' check excludes BPF_TRAMP_MODIFY_RETURN BPF programs. As a result, the number of attached BPF_TRAMP_MODIFY_RETURN programs to a trampoline can exceed BPF_MAX_TRAMP_PROGS, causing an array overflow during the assignment '*progs++ = aux->prog'. The progs array in the bpf_tramp_progs struct is limited to holding at most BPF_MAX_TRAMP_PROGS programs. This flaw is classified under CWE-129 (Improper Validation of Array Index) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by attaching an excessive number of BPF_TRAMP_MODIFY_RETURN programs to a BPF trampoline. This triggers the miscounted check, leading to the array overflow in bpf_trampoline_get_progs(). Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (high confidentiality impact), modification of system state (high integrity impact), and denial of service or system crashes (high availability impact), all with low attack complexity and no user interaction required.

Mitigation is provided through patches in the Linux kernel stable trees. Relevant commits include 32c4559c61652f24c9fdd5440342196fe37453bc, 4f8897bcc20b9ae44758e0572538d741ab66f0dc, 7f845de2863334bed4f362e95853f5e7bc323737, a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d, and e36452d5da6325df7c10cffc60a9e68d21e2606d, available at git.kernel.org/stable. Security practitioners should update affected Linux kernels to versions incorporating these fixes to prevent exploitation.
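To make the counting flaw concrete, here is an added, self-contained C model of the bug and its fix. It is not kernel code and is not taken from this page or from the upstream commits: the structures, the capacity value MAX_TRAMP_PROGS (8 here, a toy value; the kernel's BPF_MAX_TRAMP_PROGS is larger) and the function names are constructed for illustration. The vulnerable attach-time check counts only FENTRY and FEXIT programs, exactly as the advisory describes, so MODIFY_RETURN programs bypass it; the hardened check counts every kind that the build step later copies into the fixed-size array. The copy step counts writes that would land past the array instead of performing them, so the model itself stays memory-safe.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy capacity for this model; the kernel's BPF_MAX_TRAMP_PROGS is larger,
 * but the counting flaw is the same at any size. */
#define MAX_TRAMP_PROGS 8

/* The three attachment kinds a trampoline serves. */
enum tramp_kind { KIND_FENTRY, KIND_MODIFY_RETURN, KIND_FEXIT, KIND_MAX };

/* Per-trampoline bookkeeping: how many programs are attached of each kind. */
struct trampoline {
    int attached[KIND_MAX];
};

/* Fixed-size destination the trampoline builder fills (stand-in for the
 * progs[] field of bpf_tramp_progs). */
struct tramp_progs {
    int progs[MAX_TRAMP_PROGS];
    int nr_progs;
};

typedef int (*link_fn)(struct trampoline *, enum tramp_kind);

/* Vulnerable attach-time check: cnt counts only FENTRY and FEXIT, so any
 * number of MODIFY_RETURN programs pass the capacity check. Returns 0 on
 * success, -1 when the trampoline is considered full. */
static int link_prog_vulnerable(struct trampoline *tr, enum tramp_kind kind)
{
    int cnt = tr->attached[KIND_FENTRY] + tr->attached[KIND_FEXIT];
    if (cnt >= MAX_TRAMP_PROGS)
        return -1;
    tr->attached[kind]++;
    return 0;
}

/* Hardened attach-time check: every kind that will later be copied into
 * progs[] is counted, so the total can never exceed the array size. */
static int link_prog_fixed(struct trampoline *tr, enum tramp_kind kind)
{
    int cnt = 0;
    for (int k = 0; k < KIND_MAX; k++)
        cnt += tr->attached[k];
    if (cnt >= MAX_TRAMP_PROGS)
        return -1;
    tr->attached[kind]++;
    return 0;
}

/* Build-time copy, modelled on the '*progs++ = aux->prog' loop. Instead of
 * writing past the array it counts the writes that would be out of bounds
 * and returns that count (0 means the copy is safe). */
static int get_progs(const struct trampoline *tr, struct tramp_progs *out)
{
    int slot = 0, out_of_bounds = 0;
    for (int k = 0; k < KIND_MAX; k++) {
        for (int i = 0; i < tr->attached[k]; i++) {
            if (slot < MAX_TRAMP_PROGS)
                out->progs[slot] = k * 1000 + i; /* constructed program id */
            else
                out_of_bounds++;
            slot++;
        }
    }
    out->nr_progs = slot < MAX_TRAMP_PROGS ? slot : MAX_TRAMP_PROGS;
    return out_of_bounds;
}

/* Scenario from the advisory: attach more MODIFY_RETURN programs than the
 * array holds, then one FENTRY program, then build. Returns the number of
 * out-of-bounds writes the copy would make; *accepted receives how many
 * attach calls the check let through. */
static int run_scenario(link_fn link, int *accepted)
{
    struct trampoline tr;
    struct tramp_progs tp;
    memset(&tr, 0, sizeof(tr));
    memset(&tp, 0, sizeof(tp));
    *accepted = 0;
    for (int i = 0; i < MAX_TRAMP_PROGS + 4; i++)
        if (link(&tr, KIND_MODIFY_RETURN) == 0)
            (*accepted)++;
    if (link(&tr, KIND_FENTRY) == 0)
        (*accepted)++;
    return get_progs(&tr, &tp);
}

/* Convenience wrappers so each figure can be checked on its own. */
static int scenario_oob_writes(link_fn link) { int acc; return run_scenario(link, &acc); }
static int scenario_accepted(link_fn link) { int acc; run_scenario(link, &acc); return acc; }

int main(void)
{
    printf("vulnerable check: %d attaches accepted, %d out-of-bounds writes\n",
           scenario_accepted(link_prog_vulnerable), scenario_oob_writes(link_prog_vulnerable));
    printf("fixed check:      %d attaches accepted, %d out-of-bounds writes\n",
           scenario_accepted(link_prog_fixed), scenario_oob_writes(link_prog_fixed));
    return 0;
}
```

With the vulnerable check all thirteen attaches succeed and the copy would write five slots past the eight-entry array; with the hardened check only eight attaches succeed and the copy stays in bounds. The point for reviewers is that a capacity check must count every item the consumer will later place in the fixed-size buffer, not a subset of them.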


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix potential array overflow in bpf_trampoline_get_progs()

The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp_progs struct can only hold at most BPF_MAX_TRAMP_PROGS bpf programs.

CWE(s): CWE-129 (Improper Validation of Array Index)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel array overflow in BPF trampoline allows low-priv user to achieve privilege escalation with high impact on confidentiality, integrity and availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49170 (same product: Linux Linux Kernel)
CVE-2022-49186 (same product: Linux Linux Kernel)
CVE-2026-23354 (same product: Linux Linux Kernel)
CVE-2025-71100 (same product: Linux Linux Kernel)
CVE-2025-21692 (same product: Linux Linux Kernel)
CVE-2022-49720 (same product: Linux Linux Kernel)
CVE-2023-52987 (same product: Linux Linux Kernel)
CVE-2023-53019 (same product: Linux Linux Kernel)
CVE-2022-49478 (same product: Linux Linux Kernel)
CVE-2025-71143 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.7 to 5.10.120, 5.11 to 5.15.45, 5.16 to 5.17.13

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): requires timely remediation of the Linux kernel flaw via patches that fix the BPF trampoline program count check to prevent array overflow in bpf_trampoline_get_progs().

Prevent (CM-7, Least Functionality): prohibits or restricts unnecessary BPF trampoline functionality to prevent low-privilege attackers from attaching excessive BPF_TRAMP_MODIFY_RETURN programs.

Detect: enables vulnerability scanning to identify the presence of CVE-2022-49548 in the Linux kernel BPF subsystem for prompt patching.
